CypherCon 2024

I’m the Captain Now: True Story of a Web Worker Watering Hole Attack

Jarrod Coulter

Abstract:

In this presentation we’ll discuss the use of browser web workers to create watering hole attacks as part of a red team initial access campaign. How to take over the ship (browser) as it were. We’ll describe web workers, the typical uses, and how Red Teams can abuse them to gain initial access to an environment. We’ll start with an example from the speaker’s past which leverages them on an actual campaign, discuss additional use cases for today, and then discuss more modern approaches.

Jarrod Coulter

Has Rootz!

Jarrod¬†Coulter¬†has spent half his career defending against attackers and half his career behaving like them. He’s had the privilege of establishing Security Operations Centers and Red Teams for Fortune 500 companies as well as performing boutique consulting engagements as a red teamer. Jarrod has a deep passion for giving back to the security community, running his own security conference, engaging with the community through MeetUps and participating in CCDC on the Red Team for local and regional events. Jarrod’s life goal is to level up both Red and Blue teams, punch miscreants in the face and drink their tears (miscreant tears, not Red and Blue team tears).